Microsoft Security Advisory CVE-2018-0764: Denial of Service when parsing XML documents

[blowdart]

Microsoft Security Advisory CVE-2018-0764

Denial of Service when parsing XML documents

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1, and 2.0. This advisory also provides guidance on what developers can do to update their applications correctly.

Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.

The update addresses the vulnerability by correcting how .NET core handles XML document processing.

System administrators are advised to update their .NET Core runtimes to versions 1.0.9, 1.1.6 and 2.0.5. Developers are advised to update their .NET Core SDK to version 2.1.4 or 1.1.7. These runtime and SDK versions will also address CVE-2018-0786.

Discussion

Please use dotnet/corefx#26237 for discussion of this advisory.

Affected Software

The vulnerability affects any Microsoft .NET Core project if it uses any of affected runtime versions listed below

Runtime Version	Fixed runtime version
1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.7, 1.0.8	1.0.9
1.1.0, 1.1.1, 1.1.2, 1.1.4, 1.1.5	1.1.6
2.0.0, 2.0.3, 2.0.4	2.0.5

Advisory FAQ

How do I know if I am affected?

To check the runtimes installed on a computer you must view the contents of the runtime folder. By default these are

Operating System	Location
Windows	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
macOS	/usr/local/share/dotnet/shared/Microsoft.NETCore.App/
Supported Linux platforms	/usr/share/dotnet/shared/Microsoft.NETCore.App/

Each runtime version is installed in its own directory, where the directory name is the version number. If you do not have a directory for 1.0.9, 1.1.6 or 2.0.2 then any applications targeting .NET Core will be vulnerable. Downloads for all supported platforms can be acquired from https://www.microsoft.com/net/download/

How do I fix my affected application?

Applications can be fixed by installing the latest runtimes or SDKs. Typically application servers only install a runtime package, developer machines install SDKs. Installers can be downloaded from the Runtime and SDK download archive. Runtime version 1.1.6 will also install runtime version 1.0.9.

If you have built a self-contained application you must install the new runtime and SDK, recompile your application and redeploy.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET Core, please email details to secure@microsoft.com. Reports may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including Terms and Conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET Core or ASP.NET Core organizations. These are located at https://github.com/dotnet/ and https://github.com/aspnet/. The Announcements repo for each product (https://github.com/dotnet/Announcements and https://github.com/aspnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.

What if the update breaks my application?

An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application and editing the framework version and setting rollForward to false. This should be treated as a temporary measure and the application updated to work with the patched versions of the framework.

Note that this file is optional, you may need to create it for each application alongside the executable.

External Links

CVE-2018-0764

Revisions

V1.0 (Jan 9, 2018): Advisory published.

Version 1.0
Last Updated 2018-01-09